Selected Chapters in Computer Networks (Odabrana Poglavlja iz Računalnih Mreža)

Network Firewalls

Mario Čagalj

FESB, University of Split (Sveučilište u Splitu)

8/5/2007.

Introduction

o Computer security is hard
o Security of networked computers is much harder
o Organizations, companies and universities are connected to the Internet
o The "outside world" can reach and interact with local network assets
o Internal networks comprise hundreds of computers running Unix, Windows, ...
o Local computers run different (potentially vulnerable) services
• FTP, Telnet, DNS, ARP, rlogin, Skype, POP, IMAP, ICMP, ...
• New Internet vulnerabilities and flaws are discovered on a daily basis
o How do we protect a large, heterogeneous internal network efficiently?
o Security flaw discovered -> upgrade each potentially affected system
• Does this approach scale well?
o Better: insert a firewall between the internal network and the Internet
• Establish a controlled link between the internal trusted network and the untrusted network (e.g., the Internet)

What is a Firewall?

o Originally, a firewall was a barrier constructed to prevent the spread of fire from one part of a building to another
o Network firewalls are barriers between networks, which prevent or deny unauthorized traffic between the networks
o There is no unified definition, but essentially:

A network firewall is a system or a group of systems used to control access to or from a protected (trusted) network, using a preconfigured set of rules and filters.

o A firewall can be a single router, multiple routers, a single host or multiple hosts running firewall software, a hardware device, or any combination of these

[Figure: a firewall placed between the trusted network and the untrusted network]

Firewall Characteristics

o Main design goals
o All traffic from inside to outside, and vice versa, must pass through the firewall
o Only authorized traffic (as defined by the local security policy) is allowed to pass
o The firewall itself is immune to penetration
o What firewalls can do (positive effects)
o User authentication
• Firewalls can be configured to require user authentication
• Enforce different access control policies (different users, different rights)
o Auditing and logging
• Useful statistics for updating current security and utilization policies
o Security and privacy
• Some firewall systems can hide internal (trusted) networks from external (untrusted) networks: Network Address Translation (NAT)
• Internal DNS information does not have to leave the internal network
• Can shield services from unwanted scans

Firewall Characteristics contd.

o What firewalls can do (negative effects)
o Traffic bottlenecks
• All traffic is forced through the firewall system (to be inspected)
o Single point of failure
o Complex management
o User frustration
• "Arrgh, my Skype communication doesn't go through!"
• Users may try to go around the firewall -> a serious security problem
o What firewalls cannot do
o An installed firewall does not mean that the protected network is 100% secure (other security measures are necessary)
o Firewalls do not protect against inside attacks
• Inside traffic is not routed through the firewall
o Unwanted and unauthorized backdoors
• Modem dial-in access, WiFi access
o Firewalls cannot protect against the transfer of viruses or malicious code
• Generally, firewalls do not inspect the packet payload (not practical); packet filters and stateful filters look at headers only

Basic Firewall Design Policies

o Firewalls generally implement one of two basic design policies:
1. Permit any service unless it is explicitly denied
2. Deny any service unless it is explicitly permitted
o 1st policy
o The firewall allows all services to pass into the internal network by default
o It blocks those services that the service access policy has identified as disallowed
o More flexible, but less desirable than the 2nd design policy
o 2nd policy
o The firewall denies all services by default
o It passes only those services that have been identified as allowed
o Stronger and safer than the 1st policy
o Legitimate traffic may suffer until the correct rules and filters are identified and implemented
o Most often recommended

Types of Firewalls

o A firewall's basic design policy can be enforced using different types of packet-screening (inspection) methods
o The packet-screening methods differ in how the firewall uses pre-configured rules and filters, and the information gathered from packets and sessions, to allow or deny traffic
o The three common types of firewalls (screening methods) are:
o Packet filtering firewall
o Stateful packet inspection firewall
o Application-level gateways/proxies
o + hybrid methods

[Figure: the TCP/IP protocol suite (Physical layer, Data-link layer, IP, TCP/UDP, Application) with the layer at which each method operates: packet filters and stateful inspection at the IP and TCP/UDP layers, application gateways at the application layer]

Packet Filtering Firewall

o The simplest packet screening method: it simply filters packets
o Each packet is inspected individually, without any regard to other packets
o Filtering rules are based on information contained in the packet:
o Source IP address
o Destination IP address
o Protocol type (TCP/UDP/ICMP)
o Source port
o Destination port

[Figure: a packet-filtering router (e.g., dual-homed) forming the security perimeter between the Internet and the private network; it operates at the IP and TCP/UDP layers]

Packet Filtering Firewall contd.

o Operation:
o The packet filter is set up as a list of rules based on matches to fields in the IP or TCP headers
o If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet
o If there is no match to any rule, a default action is taken
• Discard (2nd firewall design policy)
• Forward (1st firewall design policy)

Action | Ourhost IP | Port | Theirhost IP | Port
allow  | Host A     | 25   | *            | *

"*" is a wildcard designator that matches everything. Port 25 is the SMTP (Simple Mail Transfer Protocol) port, used to send/receive e-mail.

Packet Filtering Rules: Examples

Action | Ourhost IP | Port | Theirhost IP | Port
block  | *          | *    | Host A       | *
allow  | Host B     | 25   | *            | *

Inbound mail is allowed (port 25 is SMTP), but only to Host B. Packets from the external Host A are blocked because that host does not comply with our e-mail policy.

Action | Ourhost IP | Port | Theirhost IP | Port
block  | *          | *    | *            | *

An explicit statement of the default policy. All rule sets include this rule implicitly as the last rule.

Action | Ourhost IP | Port | Theirhost IP | Port
allow  | *          | *    | *            | 25

Specifies that any inside host can send mail to the outside. However, this rule also allows an enemy to access any internal host and port by originating his call from port 25 on the outside machine! We have to distinguish between incoming and outgoing packets to solve this problem.

Packet Filtering Rules: Examples

SMTP is based on the TCP protocol. A TCP conversation consists of packets flowing in two directions. Even if all of the data is flowing one way, acknowledgment packets and control packets must flow the other way. We want to ensure that only internal hosts can make calls to someone's port 25. We can do this by paying attention to the direction of the packet, and by looking at some of the control fields. In particular, an initial open request packet in TCP does not have the ACK bit set in the header; all other TCP packets do. Thus, packets with ACK set are part of an ongoing conversation; packets without it represent connection establishment messages, which we will permit only from internal hosts. The idea is that an outsider cannot initiate a connection, but can continue one.

From: "Firewalls and Internet Security: Repelling the Wily Hacker." Cheswick and Bellovin, 2003.

Action | Src IP      | Port | Dest IP | Port | Flag
allow  | {our hosts} | *    | *       | 25   |
allow  | *           | 25   | *       | *    | ACK

o Caveat: the second rule still admits any outside packet with ACK set, sent from port 25, to any internal host and port; a stateless filter cannot tell a forged ACK from a genuine reply. Stateful inspection (below) closes this gap by admitting only packets that belong to a connection an inside host actually opened.
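The rule tables above, evaluated by a small stateless filter, as an added example written for this page (not code from the slides or from Cheswick and Bellovin). The `Packet` and `Rule` types, the `OUR_HOSTS` set, the sample packets and the addresses are all constructed for illustration; the direction-blind rule is written as two src/dst rules because one "Ourhost/Theirhost" line matches traffic in both directions.

```python
"""Stateless packet filter that evaluates rule tables like the ones above.
Added example for this page; hosts, ports and the trusted-network membership
are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False          # TCP ACK flag; a connection-opening SYN has ack=False


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "block"
    src: str = "*"             # "*", an address, or "{our hosts}"
    sport: str = "*"           # "*" or a port number written as in the tables
    dst: str = "*"
    dport: str = "*"
    flag: Optional[str] = None  # None = don't care, "ACK" = ACK bit must be set


OUR_HOSTS = {"10.0.0.5", "10.0.0.6"}   # constructed trusted network


def _host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern == "{our hosts}":
        return host in OUR_HOSTS
    return pattern == host


def _port_matches(pattern: str, port: int) -> bool:
    return pattern == "*" or int(pattern) == port


def matches(rule: Rule, p: Packet) -> bool:
    return (_host_matches(rule.src, p.src) and _port_matches(rule.sport, p.sport)
            and _host_matches(rule.dst, p.dst) and _port_matches(rule.dport, p.dport)
            and (rule.flag is None or (rule.flag == "ACK" and p.ack)))


def filter_packet(rules, p: Packet, default: str = "block") -> str:
    """Stateless decision: each packet is judged on its own header fields.
    The first matching rule wins; with no match the default applies
    (deny-by-default, i.e. the implicit 'block * * * *' at the end)."""
    for rule in rules:
        if matches(rule, p):
            return rule.action
    return default


# The direction-blind 'allow * * * 25' (our host any, their port 25), which in
# src/dst terms matches our host -> their 25 AND their 25 -> our host.
NAIVE_MAIL = [
    Rule("allow", src="{our hosts}", dport="25"),
    Rule("allow", sport="25", dst="{our hosts}"),
]

# The directional fix: only our hosts may open a connection to port 25; packets
# coming back from port 25 are accepted only when ACK is set (not an open request).
DIRECTIONAL_MAIL = [
    Rule("allow", src="{our hosts}", dport="25"),
    Rule("allow", sport="25", flag="ACK"),
]

# Constructed traffic
OUTBOUND_OPEN = Packet("10.0.0.5", 1030, "198.51.100.25", 25)           # our SYN to a mail server
MAIL_REPLY = Packet("198.51.100.25", 25, "10.0.0.5", 1030, ack=True)    # its SYN/ACK and data
ATTACK_OPEN = Packet("198.51.100.66", 25, "10.0.0.6", 23)               # outsider "calls" telnet from port 25
ATTACK_ACK = Packet("198.51.100.66", 25, "10.0.0.6", 23, ack=True)      # same, with a forged ACK bit
```

`filter_packet(NAIVE_MAIL, ATTACK_OPEN)` returns `"allow"`, which is the hole the text describes; `DIRECTIONAL_MAIL` blocks it. `ATTACK_ACK` is still allowed by `DIRECTIONAL_MAIL`, because a stateless filter has no way to know that no inside host ever opened that conversation.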

Packet Filtering: Advantages

o Simplicity
o Each packet is inspected without any regard to other packets from the same connection
o Speed
o Packet filtering is done at the lower layers of the OSI model, so the time it takes to process a packet is much shorter
o Transparent to the user
o Requires no additional configuration on clients
o Packet filtering firewalls are typically less expensive
o Usually present in a standard firewall package
o Scale better than other types of firewalls
o Lower processing overhead
o Packet filtering firewalls are application independent

Packet Filtering: Disadvantages

o Defining rules can be a very complex task
o Packet-filtering firewalls do not support user authentication
o Packet filters cannot prevent attacks that exploit application-specific vulnerabilities
o Packet-filter firewalls do not examine upper-layer data
o E.g., they cannot block specific application commands
o Vulnerable to IP address spoofing attacks
o The intruder transmits packets from the outside with the source IP address set to the address of an internal host
o Countermeasure: discard any packet with an internal source address if it arrives on an external interface
o Vulnerable to the packet fragmentation attack
o Typically, a packet filter makes its filtering decision based on the first fragment of a packet
o The intruder uses IP fragmentation to create fragments so small that the TCP header information is forced into a separate fragment
o Countermeasure: discard fragments that are too small to carry the full transport header (see RFC 1858)

Stateful Inspection Firewalls

o Uses the same packet-screening technique as packet filtering
o In addition, takes the higher-layer context into account
o Inspects the packet from the network layer up to the application layer to verify that the packet is part of a legitimate connection
o Stateful packet inspection process
o Packet header information is examined and stored in a dynamic state table
o Packets are first compared against the pre-configured rules or filters and allowed to pass or blocked
o The state table is then used to evaluate subsequent packets and verify that they are part of the same connection
o The decision can be made based on the following information
o Source IP address
o Destination IP address
o Protocol type (TCP/UDP/ICMP)
o Source port
o Destination port
o Connection state (derived from information gathered in previous packets)

Stateful Inspection Packet Filtering

[Figure: packets 1, 2 and 3 of a connection arrive from the Internet at the firewall rule set; packets that match an entry for an existing connection (P4, P5) are allowed into the private network, the others are discarded]

Stateful Firewall: Connection State Table

o Contains an entry for each currently established connection
o The packet filter allows incoming traffic to ports only for those packets that fit the profile of one of the entries

Source Address | Source Port | Destination Address | Destination Port | Connection State
192.168.1.100  | 1030        | 210.9.88.29         | 80               | Established
192.168.1.102  | 1031        | 216.32.42.123       | 80               | Established
192.168.1.101  | 1033        | 173.66.32.122       | 80               | Established
192.168.1.106  | 1035        | 177.231.32.12       | 80               | Established
223.43.21.231  | 1990        | 192.168.1.6         | 80               | Established
210.99.212.18  | 2112        | 192.168.1.6         | 80               | Established
24.102.32.23   | 1025        | 192.168.1.6         | 80               | Established
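The stateful inspection process of the previous slides (rules first, then the dynamic state table) in a toy TCP connection tracker, as an added example written for this page rather than code from the slides. The trusted prefix `192.168.1.`, the single published inbound service (the web server at `192.168.1.6:80`, as in the table above) and the packets are constructed assumptions; the policy is: inside hosts may open connections outward, outside hosts may open connections only to published services, and every other packet must match an entry in the table.

```python
"""Toy stateful inspection firewall for TCP. Added example for this page; the
trusted prefix, the published inbound service and all packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


class StatefulFirewall:
    """State table keyed by the originator's 4-tuple (src, sport, dst, dport)."""

    def __init__(self, inside_prefix="192.168.1.", inbound_services=()):
        self.inside_prefix = inside_prefix              # constructed trusted LAN
        self.inbound_services = set(inbound_services)   # {(ip, port)} reachable from outside
        self.table = {}                                 # 4-tuple -> {"state": ..., "fins": set()}

    def _inside(self, addr):
        return addr.startswith(self.inside_prefix)

    def _may_open(self, p):
        """The pre-configured rules: who is allowed to create a new entry."""
        if self._inside(p.src) and not self._inside(p.dst):
            return True                                    # outbound: always
        return (p.dst, p.dport) in self.inbound_services   # inbound: published only

    def handle(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd not in self.table and rev not in self.table:
            # Unknown flow: only a real open request (SYN, no ACK) permitted by
            # the rules creates state. A stray ACK (e.g. an ACK scan) or an
            # unsolicited SYN to an unpublished port is discarded here.
            if p.syn and not p.ack and self._may_open(p):
                self.table[fwd] = {"state": "SYN_SENT", "fins": set()}
                return "allow"
            return "discard"
        # Packet belongs to a tracked connection, in one of the two directions.
        key, direction = (fwd, "orig") if fwd in self.table else (rev, "reply")
        entry = self.table[key]
        if p.rst:                                  # reset tears the entry down at once
            del self.table[key]
            return "allow"
        if entry["state"] == "SYN_SENT":
            if direction == "reply" and p.syn and p.ack:
                entry["state"] = "ESTABLISHED"     # handshake completed
                return "allow"
            return "allow" if direction == "orig" and p.syn else "discard"  # SYN retransmit only
        if p.syn:                                  # a SYN inside an established flow is bogus
            return "discard"
        if entry["state"] == "LAST_ACK":           # final ACK of the close handshake
            del self.table[key]
            return "allow"
        if p.fin:                                  # both sides must send FIN to close
            entry["fins"].add(direction)
            if len(entry["fins"]) == 2:
                entry["state"] = "LAST_ACK"
        return "allow"

    def state_table(self):
        """Rows in the layout of the connection state table above."""
        return [(*k, v["state"]) for k, v in self.table.items()]
```

The forged-ACK packet that slipped past the stateless rule pair is discarded here because no entry exists for it; the price is the table itself (memory per connection, and a timeout policy for half-open and idle entries, which this toy omits).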

Stateful Inspection: Pros and Cons

o Advantages:
o Very little impact on network performance (very fast)
o Application independent and transparent to users
o More secure than basic packet filtering (tracks the connection state between endpoints)
o Has logging capabilities
o Disadvantages
o Rules and filters are quite complex to set, test and manage
o Allows a direct connection to be made between two endpoints (like basic packet filtering)

Application-level Gateway/Proxy

o Also called a proxy server; considered the most complex packet-screening method
o Acts as a relay of application-level traffic
o Uses application-layer information to filter packets
o The direct connection is broken into two separate connections
o The interfaces of the proxy server do not forward packets -> a proxy service must be implemented for each application protocol

[Figure: an application-level gateway running TELNET, FTP, SMTP and HTTP proxies, with an outside connection to the outside host and a separate inside connection to the inside host]

Application Gateway/Proxy Operation

o Outside connection
o A client issues a request to the gateway
o A connection is established between the client and the proxy
o The proxy determines whether the request is valid (using the filters and rules) and, optionally, whether the user is authorized for the requested service (user authentication)
o In turn, the proxy sends a new request on behalf of the client to the desired destination
o Inside connection
o The destination responds to the proxy server
o The proxy determines whether the response is valid
o In turn, the proxy sends the destination's response back to the client
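The operation just described (client -> proxy, proxy validates the request, new request on the client's behalf, proxy validates the response, response -> client) for one protocol, SMTP, as an added example written for this page and not code from the slides. The command policy (`ALLOWED`), the fake inside mail server and the sample session are constructed; the point is that a proxy can refuse a specific application command (here `VRFY`), which a packet filter looking at headers cannot do.

```python
"""Toy application-level gateway (proxy) for SMTP. Added example for this
page; the command policy, the fake inside server and the session are
constructed."""
import re

# The proxy understands one protocol (SMTP) and forwards only the commands a
# mail relay needs; anything else (VRFY, EXPN, ...) is answered by the proxy
# itself and never reaches the inside server.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
REPLY_RE = re.compile(r"^\d{3}[ -]")   # a well-formed SMTP reply starts with a 3-digit code


def fake_inside_server(line):
    """Constructed stand-in for the protected mail server (the inside connection).
    It WOULD answer VRFY if asked; the proxy is what prevents that."""
    table = {
        "HELO": "250 mail.internal", "EHLO": "250 mail.internal",
        "MAIL": "250 2.1.0 OK", "RCPT": "250 2.1.5 OK",
        "DATA": "354 End data with <CR><LF>.<CR><LF>", ".": "250 2.0.0 Queued",
        "RSET": "250 2.0.0 OK", "NOOP": "250 2.0.0 OK", "QUIT": "221 2.0.0 Bye",
        "VRFY": "252 2.5.2 user exists",
    }
    return table.get(line.split(" ", 1)[0].upper(), "")   # message body lines get no reply


def proxy_session(client_lines, server=fake_inside_server):
    """Relay one session. `client_lines` is what the client sends on its
    connection to the proxy; `server(line) -> reply` stands for the proxy's
    separate connection to the destination. Returns (replies seen by the
    client, proxy log)."""
    to_client, log, in_data = [], [], False
    for line in client_lines:
        if in_data:                                   # message body: relayed, not policed
            reply = server(line)
            if line == ".":
                in_data = False
                to_client.append(reply)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED:                       # application-layer policy decision
            log.append(("refused", line))
            to_client.append("502 5.5.1 Command not implemented")
            continue
        reply = server(line)                          # new request on the client's behalf
        if not REPLY_RE.match(reply):                 # the response is validated too
            log.append(("bad-reply", line))
            to_client.append("421 4.3.0 Service not available")
            break
        log.append(("forwarded", line))
        to_client.append(reply)
        if verb == "DATA" and reply.startswith("354"):
            in_data = True
        if verb == "QUIT":
            break
    return to_client, log
```

Note what the proxy does not do: the message body is relayed without inspection, which is the "cannot protect against viruses" point from the characteristics slide, and every protocol needs its own proxy of this kind.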

Application Gateway: Pros and Cons

o Advantages
o Does not allow direct connections between internal and external hosts
o Can analyze the application commands in data packets
o Does not route between the internal and the external network
• Hides the internal network topology (similar to NAT)
o Supports user-level authentication
o Supports logging at the application level
o Perhaps the most secure type of firewall
o Disadvantages
o Can have a significant impact on network performance
o Each protocol (HTTP, FTP, SMTP) requires its own proxy application
o Vulnerable to Denial-of-Service attacks
o Does not scale well

Circuit-level Gateway

o Does not examine individual packets
o Instead, it monitors TCP or UDP sessions
o Security consists of determining which connections will be allowed
o Once a session has been established, it leaves the port open to allow all packets from the same session to pass
o In many respects similar to an application gateway, with the difference that it operates at the Transport layer

[Figure: a circuit-level gateway relaying segments in both directions (Out/In) between the outside connection to the outside host and the inside connection to the inside host]

Application of a Circuit-level Gateway

o A typical use is a situation in which the system administrator trusts the internal users
o The gateway can be configured to support application-level services on inbound connections and circuit-level functions for outbound connections
o The gateway incurs the processing overhead of examining incoming application data
o The gateway does not incur that overhead on outgoing data

Pseudo Firewalls

o Network Address Translation (NAT)
o Translates "internal" IP addresses of one network to "external" IP addresses on another network
o Static NAT
• E.g., 12.1.8.4 <-> 162.145.14.3
o Pooled NAT (dynamic mapping to an IP from a given pool of addresses)
• E.g., 10.0.0.1-10.0.0.254 <-> 168.13.1.1-168.13.1.254
o Port-level NAT (dynamic mapping)
• E.g., 10.0.0.1 <-> 168.13.1.1:1084
  10.0.0.2 <-> 168.13.1.1:1085
o Not really a network firewall
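The port-level NAT mapping from the example above (`10.0.0.1 <-> 168.13.1.1:1084`, `10.0.0.2 <-> 168.13.1.1:1085`) as a small translator, an added example written for this page rather than code from the slides. The inside prefix `10.0.0.`, the sequential port allocator starting at 1084 and the outside addresses are constructed assumptions. It also shows why this is only a pseudo firewall: an unsolicited inbound packet is dropped merely because it has no mapping, while any outside host that learns an allocated port can reach the inside socket behind it.

```python
"""Port-level NAT (many inside addresses behind one external address, told
apart by translated source port). Added example for this page; addresses and
the port allocator are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PortNAT:
    def __init__(self, external_ip, inside_prefix="10.0.0.", first_port=1084):
        self.external_ip = external_ip
        self.inside_prefix = inside_prefix
        self.next_port = first_port       # constructed allocator: sequential ports
        self.out_map = {}                 # (inside_ip, inside_port) -> external_port
        self.in_map = {}                  # external_port -> (inside_ip, inside_port)

    def translate_out(self, p):
        """Inside -> Internet: rewrite the source to the shared external address."""
        if not p.src.startswith(self.inside_prefix):
            return p                      # not an inside address: leave untouched
        key = (p.src, p.sport)
        if key not in self.out_map:       # first packet from this inside socket
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.external_ip, self.out_map[key], p.dst, p.dport)

    def translate_in(self, p):
        """Internet -> inside: only packets for an existing mapping can be
        delivered; anything else has no inside destination and is dropped (None).
        The mapping is keyed on the inside socket alone, so it does not check
        WHO is sending: that is the gap a real firewall rule has to close."""
        if p.dst != self.external_ip or p.dport not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[p.dport]
        return Packet(p.src, p.sport, inside_ip, inside_port)

    def mappings(self):
        """Current table in the 'inside <-> external:port' form used above."""
        return {f"{ip}:{port}": f"{self.external_ip}:{ext}"
                for (ip, port), ext in self.out_map.items()}
```

Real implementations key the mapping on more than the inside socket, expire idle entries and keep a per-protocol state much like the stateful firewall; the slide's point stands either way: hiding addresses is not the same as enforcing a policy.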

o Personal Firewalls
o Control access to a single device (not to a trusted network)
o "Defense in depth"
• Provides an additional level of protection

Firewall Architectures

o Refers to a collection of firewall system components (hardware and software), the connectivity between them and the distribution of functions among them
o The very first step in designing a firewall architecture is to identify the boundaries between different security domains (the security perimeter)
o The most common security perimeter is the boundary between an organization's LAN and the Internet
o To make a network more secure, it is advisable to use different types of firewalls within the same firewall system
o The most effective firewall architectures require that all network traffic pass through them

Screening Router (Packet Filtering)

[Figure: Internet - Screening (Filtering) Router - Trusted LAN]

o The simplest and most basic architecture
o A host on the local network and a host on the Internet can communicate directly
o The communication is restricted to the types allowed by the router (rules and filters)
o Simple filtering based on IP addresses and protocols
o Best suited for small and simple networks
o Disadvantages:
o No logging capabilities
o Packet filtering rules may be complex and hard to test
o A single component of protection
• If it fails, security is compromised

Screened-host/Bastion-host Firewall System

[Figure: Internet - Screening Router - Trusted LAN, with a single-homed gateway (bastion host) attached to the trusted LAN]

o Single-homed bastion host
o Consists of two systems:
o A packet-filtering router
o A single-homed bastion host
• The bastion host serves as the platform for an application- or circuit-level gateway
• A critical strong point in the network's security
o Typically, the router is configured such that
o Only IP packets originating from the Internet and destined to the bastion host are allowed in
o Only IP packets from the bastion host are allowed out
o A direct connection between an internal host and a host on the Internet is also possible, for certain services (e.g., a Web server)
o The bastion host performs
o Authentication and application proxy functions
o The system implements both packet-level and application-level filtering
o Two points of defense (generally, an intruder would have to penetrate two separate systems)
o Still, if the filtering router is compromised, traffic could flow directly through the router between the Internet and other hosts on the LAN

Dual-homed Gateway Architecture

[Figure: Internet - Screening Router - dual-homed gateway (bastion host) - Trusted LAN]

o Consists of two systems:
o A packet-filtering router
o A dual-homed bastion host (application proxy, packet forwarding disabled)
o Compared to the screened-host system, all network traffic passes through the bastion host
o A direct connection between an internal host and a host on the Internet is not possible
o The bastion host performs
o User authentication and application proxy functions
o Two points of defense (an intruder must penetrate two separate systems)
o If the filtering router is compromised, traffic cannot flow directly through the router between the Internet and other hosts on the LAN

Dual-homed Gateway Architecture contd.

[Figure: Internet - Screening Router - Demilitarized Zone (DMZ) holding the Mail Server and Web Server - dual-homed gateway (bastion host) - Trusted LAN]

Tri-homed Gateway

[Figure: Internet - Screening Router - tri-homed gateway (bastion host) with one interface to the Trusted LAN and one to the Demilitarized Zone (DMZ) holding the Mail Server and Web Server]

Screened-subnet Firewall Architecture

[Figure: Internet - outer Screening Router - DMZ holding the single-homed gateway (bastion host), Mail Server and Web Server - inner Screening Router - Trusted LAN]

o The screened subnet (DMZ) is typically created between two packet-filtering routers
o Creates an isolated subnetwork
o The most secure architecture
o Three levels of defense
o The outside router advertises only the existence of the screened subnetwork to the Internet; the internal network is invisible to the Internet
o The inside router advertises only the existence of the screened subnet to the internal network (no direct routes between the internal network and the Internet)

Literature

o "Firewalls and Internet Security: Repelling the Wily Hacker." Cheswick and Bellovin, 1994.
o http://www.wilyhacker.com/1e
o http://www2.rad.com/networks/2001/firewall/index.htm
o http://www.more.net/technical/netserv/tcpip/firewalls
o Any book on network security
o And, of course, Google :)